This is a friendly reminder to all covered entities that, by March 1, 2017, they must report to the Secretary of Health and Human Services any breaches of unsecured protected health information (PHI) that were discovered in 2016 and involved fewer than 500 individuals.

The FAR Council issued a final rule, effective January 19, 2017, which will broadly require specific privacy training, and annual re-training, for contractor or subcontractor personnel dealing with "personally identifiable information" (PII).

The HHS OCR recently announced a settlement with Presence Health Network (Illinois) for failing to comply with the Data Breach Notification Rule because it failed to provide notice of a data breach within the required 60 days.

Ransomware has become a major threat to electronic records systems worldwide. The US government reported recently that there have been 4,000 daily ransomware attacks so far in 2016! This represents a 300% increase over the number of attacks that occurred in 2015.

The AKS EHR safe harbor specifically prohibits anyone donating EHR from taking "any action to limit or restrict the use, compatibility, or interoperability of the [donated] items or services with other [EHR] systems."